Agentic AI in the Enterprise Demands Zero Trust and Human Accountability, Says MAST Consulting
Abhay Pandey, founder and CEO of MAST Consulting, warns that agentic AI systems capable of triggering workflows and accessing enterprise systems require Zero Trust architecture, ISO/IEC 42001 alignment, and strict human approval thresholds or they become operational and compliance liabilities.

Business executive reviewing an agentic AI governance dashboard in a modern UAE office representing enterprise cybersecurity accountability and Zero Trust principles
Enterprises across the UAE and broader GCC are moving quickly to deploy agentic AI systems, platforms capable not just of generating recommendations or producing content, but of interacting directly with enterprise environments, triggering workflows, calling external APIs, accessing databases, and making operational decisions without waiting for human instruction at each step. That shift, while operationally powerful, is creating a cybersecurity and governance gap that many organisations have not yet addressed with the seriousness it demands.
Abhay Pandey, founder and Chief Executive Officer of MAST Consulting, argues that organisations entering this phase of AI adoption are significantly underestimating the degree to which agentic deployment changes the risk profile of their AI investment. The governance frameworks most enterprises currently have in place were designed for a fundamentally different category of AI tool. As MENA Cyber Wire has previously reported, agentic AI tools are already running in enterprise environments across the GCC, often without security team oversight.
Why Agentic AI Is a Different Risk Category
The distinction between generative AI and agentic AI is not merely technical. It is a risk category change. A generative AI system that drafts a contract clause, summarises a board report, or produces a market analysis is acting on data and producing output for a human to review and act upon. A human remains in the loop between the AI output and any real-world consequence.
An agentic AI system operates differently. It can receive a high-level instruction and then independently access the accounts payable system, retrieve invoice records, compare them against procurement data, initiate approval workflows, send communications to suppliers, and escalate exceptions, all without a human reviewing each individual action. The human gave one instruction. The AI took dozens of actions across multiple enterprise systems.
"Agentic AI should not enter the enterprise as an open-ended tool," Pandey said. "It needs to be deployed within a defined operating model, where the system knows what it can do, what it cannot do, and when human approval is required. That means clear decision boundaries, approval hierarchies, access controls, audit trails, and risk thresholds before the first use case goes live."
The risk of getting this wrong is not hypothetical. Four critical vulnerabilities in OpenClaw, an AI agent framework, were recently disclosed, demonstrating how agentic AI runtime privileges can be turned against the enterprise environment itself. The attack surface created by autonomous agents is new, and most existing security tooling was not built to address it.
The Six Primary Cybersecurity Risks
Pandey identifies six primary cybersecurity risk categories specific to agentic AI deployment, each of which requires dedicated controls rather than reliance on existing enterprise security architecture.
The first is data leakage. Agentic systems with broad data access can exfiltrate sensitive information to external services, log files, or third-party APIs, intentionally through prompt injection or unintentionally through misconfigured integrations, without any of the traditional data loss prevention signals that security teams monitor for.
The second is prompt injection. Unlike conventional software vulnerabilities that require code execution, prompt injection attacks manipulate an AI agent's behaviour by embedding malicious instructions within data the agent processes. A supplier invoice that contains hidden instructions telling the agent to approve a fraudulent payment, or an email that redirects an AI assistant to forward sensitive documents to an external address, exploits this vector. This attack surface does not exist in conventional enterprise software and most enterprise security tools have no visibility into it.
The third is excessive access privileges. The operational convenience of giving an AI agent broad system access to enable it to complete complex multi-step tasks is in direct tension with the principle of least privilege. Agents given standing access to financial systems, HR records, customer databases, and communication platforms represent a significant lateral movement opportunity if the agent is compromised, manipulated, or malfunctions.
The fourth is insecure API integrations. Agentic systems frequently interact with external services through APIs. Poorly secured API integrations create attack paths that threat actors can exploit either by compromising the agent's API credentials or by manipulating the data returned by external services to influence the agent's decisions.
The fifth is biased or non-compliant outputs with operational consequences. In a generative AI context, a biased output is a document a human can review and reject. In an agentic context, a biased output might be a hiring decision, a credit approval, a regulatory filing, or a trading action that has already been executed before any human reviews it.
The sixth is cascading failures across agent chains. As enterprises deploy multiple AI agents that interact with each other, one agent's output becoming another agent's input, the potential for errors, manipulations, or failures to cascade through connected systems increases substantially. Rubrik's Agent Cloud governance platform was specifically designed to address this risk, offering instant action reversal and automated discovery for exactly these scenarios.
Zero Trust as the Governance Architecture for AI Agents
The foundational recommendation Pandey makes is to treat AI agents as untrusted actors within the enterprise security architecture, applying Zero Trust principles specifically to agent identity and access. Every action an AI agent takes must be explicitly authorised based on current context, rather than relying on standing permissions granted at deployment. This is the same foundational principle outlined in MENA Cyber Wire's Zero Trust guide for GCC enterprises, applied specifically to the AI agent context.
Zero Trust for agentic AI involves several concrete controls. Identity and access management must be applied to AI agent accounts with the same rigour applied to privileged human users, including just-in-time access provisioning, time-limited tokens, and automatic access revocation when an agent session ends. Every API call, database query, and system interaction made by an agent should be logged with sufficient detail to reconstruct the full action sequence in the event of an incident.
Encrypted data handling is required across all agent workflows. API security must include authentication, rate limiting, input validation, and anomaly detection on agent-initiated API traffic. Continuous monitoring of agent behaviour, with automated alerting for actions that deviate from defined parameters, provides the operational visibility needed to detect manipulation or malfunction before consequences escalate.
For high-risk actions, Pandey advocates explicit human approval gates as a non-negotiable architectural requirement. "Any decision with legal, financial, ethical, regulatory, or reputational consequences should not be fully delegated to AI. AI can still be useful in these areas. But the final decision should remain with qualified people who understand context, liability, and consequence."
The Risk Classification Model
The practical governance framework Pandey recommends is built around risk classification applied consistently across all agent use cases before deployment. Low-risk tasks, such as routine data processing, report generation, and information retrieval, can be automated with monitoring and periodic audit. Medium-risk tasks, including customer communications, supplier interactions, and internal escalations, require human review of the agent's proposed action before execution. High-risk tasks, such as regulatory filings, financial authorisations, employment decisions, and legal interpretations, require explicit human approval with a documented rationale before the agent proceeds.
This model is designed to ensure that the speed and efficiency gains from automation are captured at the levels where automation is safe, while preserving human judgment at the levels where the consequences of error are material.
Regulatory and Audit Obligations for GCC Enterprises
The governance question has a direct and immediate regulatory dimension for enterprises operating across the GCC. The UAE PDPL and Saudi Arabia's PDPD are both in active enforcement, with penalties now including criminal liability for certain categories of non-compliance. Both frameworks create obligations around data processing and algorithmic decision-making that apply directly to agentic AI deployments.
The UAE has already launched a national AI Test and Validation Lab with Cisco and Open Innovation AI to test, validate, and certify AI models and agents against UAE cybersecurity standards and global frameworks including ISO 42001 and NIST AI RMF. Organisations operating in the UAE that have not begun aligning their AI governance practices with these standards are already behind the curve.
International standards provide an additional layer of obligation. ISO/IEC 42001 requires organisations to demonstrate that AI systems are governed, monitored, reviewed, and improved systematically over time. The UAE Cyber Security Council's sovereign AI platform, launched at ISNR 2026, sets the standard for how AI governance should operate at the highest levels of government and critical infrastructure. Enterprise organisations should treat this as the directional signal for where regulatory expectations are heading.
"If an AI agent takes an action, the organisation must be able to explain what happened, what data was used, what control was in place, and who was responsible for the deployment," Pandey said. "Without traceability, organisations may struggle to investigate incidents, justify decisions, or prove compliance during audits."
Accountability Does Not Transfer to the AI
On the question of liability when an AI agent makes a biased, inaccurate, or non-compliant decision, Pandey is unequivocal: accountability does not transfer to the AI system. "Responsibility sits with the organisation, the business owners, and the teams that approved and deployed the system."
Every AI-driven action must be traceable through logs, decision records, approval workflows, and documented policies. There must also be a defined response process for AI failures, whether the issue is bias, inaccuracy, unauthorised action, or non-compliance, that assigns clear responsibility for investigation, remediation, and stakeholder communication. Vendor contracts may define certain obligations around model performance and data handling, but internal accountability cannot be outsourced through contractual arrangements.
What Mature Agentic AI Governance Looks Like
In a mature enterprise environment, Pandey describes agentic AI operating within tightly governed boundaries integrated across business, cybersecurity, compliance, and IT operations. AI agents assist with customer support routing, risk analysis, compliance monitoring, threat detection, workflow automation, and reporting, while all actions above a defined risk threshold require human approval before execution.
Every AI action is logged, monitored, and traceable through centralised governance dashboards. Access to sensitive systems is controlled through Zero Trust principles and role-based permissions reviewed and updated as agent use cases evolve. Policies, risk controls, and compliance standards are embedded into AI workflows at the design stage and validated through regular audits, model reviews, and adversarial testing.
"The goal should be to expand human capability, not remove human responsibility from decisions that require judgment," Pandey said. "The surest way to gain speed and efficiency without losing control is a human-led, AI-assisted model, with clear escalation paths, governance structures, access controls, and regular performance reviews."
For GCC security leaders looking to build out this governance model, the GCC AI sovereignty analysis published by MENA Cyber Wire provides a useful strategic framing: true autonomy and control in AI depends not on data location, but on who governs the encryption keys, identity frameworks, and operational controls of the systems themselves.
Layla Haddad
Cyber Policy & Digital Risk CorrespondentLayla Haddad covers cybersecurity regulations, data protection laws, and digital transformation initiatives across GCC and North Africa. She has worked closely with compliance teams, fintech startups, and government advisory groups. Her articles explore how cyber policy, AI governance, and privacy frameworks shape the region’s digital future.